[check_postgres] more secure nagios checks

Greg Sabino Mullane greg at endpoint.com
Mon Mar 9 16:54:21 UTC 2009


Robert Treat wrote:

> I've got a system that has some relatively high security needs that I want to 
> use check_postgres / nagios on.  Currently some of the checks I want to use 
> require superuser access (like check_postgres_wal_files), but I'd rather not 
> put a superuser account into my nagios config. In theory it would be easy to 
> wrap the checks into a security definer function and have a non-super user 
> call them, but I'm not really eager to make a quasi-fork of check postgres. 
> So, before I do that, I thought I'd ask if anyone here has had a similar need 
> and come up with a work around for that? Alternatively, if I do have to go 
> through rewriting the checks, does anyone have an interest in using them? TIA

This should be possible by playing with the search_path, as CP explicitly does
/not/ hardcode the schema name before the internal tables and functions. Thus,
you can call it with a non-superuser that has a "something before pg_catalog"
search path such that foobar.pg_ls_dir is used by CP. For an example of this in
action, see some of the new unit tests, specifically 02backends.t, which creates
a "fake" pg_stat_activity table to do the testing with.

If this *does* work :), please submit a docs patch.

-- 
Greg Sabino Mullane greg at endpoint.com
End Point Corporation
PGP Key: 0x14964AC8
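
A sketch of the search_path approach described in the message above, added here as an example; it is not code from the post or from the check_postgres project and has not been tested against check_postgres. The schema name monitor_wrap, the role name nagios and the single allowed directory pg_xlog are assumptions.

```sql
-- Run once as a superuser. monitor_wrap and nagios are hypothetical names.
CREATE ROLE nagios LOGIN NOSUPERUSER;
CREATE SCHEMA monitor_wrap;

-- Same name and argument type as pg_catalog.pg_ls_dir(text), so an
-- unqualified pg_ls_dir('...') call resolves here when monitor_wrap comes
-- first in the caller's search_path.
CREATE FUNCTION monitor_wrap.pg_ls_dir(dirname text)
RETURNS SETOF text
LANGUAGE plpgsql
SECURITY DEFINER                        -- runs with the owner's (superuser) rights
SET search_path = pg_catalog, pg_temp   -- pin the path inside the definer function
AS $$
BEGIN
    -- Expose only the directory the WAL check needs, not the whole data dir.
    -- 'pg_xlog' is an assumption; adjust to the WAL directory of your release.
    IF dirname IS DISTINCT FROM 'pg_xlog' THEN
        RAISE EXCEPTION 'directory % is not allowed for monitoring', dirname;
    END IF;
    RETURN QUERY SELECT pg_catalog.pg_ls_dir(dirname);
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to the monitor role.
REVOKE ALL ON FUNCTION monitor_wrap.pg_ls_dir(text) FROM PUBLIC;
GRANT USAGE ON SCHEMA monitor_wrap TO nagios;
GRANT EXECUTE ON FUNCTION monitor_wrap.pg_ls_dir(text) TO nagios;

-- pg_catalog is searched first unless it is listed explicitly, so it must
-- appear after the wrapper schema for the override to take effect.
ALTER ROLE nagios SET search_path = monitor_wrap, pg_catalog;

-- Check from a fresh session logged in as nagios:
--   SELECT count(*) FROM pg_ls_dir('pg_xlog');   -- succeeds via the wrapper
--   SELECT * FROM pg_ls_dir('base');             -- raises "not allowed"
--   SELECT * FROM pg_catalog.pg_ls_dir('base');  -- fails: superuser required
```

Because the role-level search_path is only a default, the wrapper itself carries the restriction: a session that resets its path falls back to pg_catalog.pg_ls_dir and is refused as a non-superuser.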
